(57) Abstract

The invention concerns implementation of data transmission in a mobile network including base transceiver stations (BTS) forming radio cells, mobile stations (MS) located in the areas of the radio cells and being in connection with the base transceiver stations over a radio path, and at least one base station controller (BSC), which through a transmission network is in connection with the base transceiver stations. In at least a part of the transmission network data is transmitted in an encrypted form. In order to achieve good data security in the transmission network and in order to achieve as easy processing as possible of the signals of the transmission network, the encryption is carried out in an internal card unit (TRU) of the base transceiver station before framing of the bit flow to be transmitted to the transmission network.

Data transmission method with encryption performed in an internal card unit (TRU)

Field of the invention 

The invention relates generally to data transmission taking place in a mobile network, more specifically to data transmission implemented in the fixed part of a mobile network. In this context, the fixed part means that part of the mobile network which extends in the uplink direction of the transmission link from the base transceiver stations, especially connections between the base station controller and a base transceiver station or between two successive base transceiver stations. Although the network is called a fixed network in this context, it should be noted that this fixed network or its part can be implemented e.g. with the aid of radio links.

Background of the invention 

To illustrate the typical architecture of a mobile network, Figure 1 shows the structure of the known GSM mobile communications system (Global System for Mobile Communications), using abbreviations known from the context of the GSM system. The system comprises several open interfaces. The transactions relating to crossing of interfaces have been defined in the standards, in which context the operations to be carried out between the interfaces have also been largely defined. The network subsystem (NSS) of the GSM system comprises a mobile services switching center (MSC) through whose system interface the mobile network is connected to other networks, such as a public switched telephone network (PSTN), an integrated services digital network (ISDN), other mobile networks (Public Land Mobile Networks, PLMN), and packet switched public data networks (PSPDN) and circuit switched public data networks (CSPDN). The network subsystem is connected across the A interface to a base station subsystem (BSS) comprising base station controllers (BSC), each controlling the base transceiver stations (BTS) connected to them through a transmission network. The interface between the base station controller and the base stations connected thereto is the Abis interface. The base stations, on the other hand, are in radio communication with mobile stations MS across the radio interface.

The GSM network is adapted to other networks by means of the interworking function (IWF) of the mobile services switching center. On the other hand, the mobile services switching center is connected to the base station controllers with PCM trunk lines crossing the A interface. The tasks of the mobile services switching center include call control, control of the base station system, handling of charging and statistical data, and signalling in the direction of the A interface and the system interface.

The tasks of the base station controller include, inter alia, the selection of the radio channel between the controller and a mobile station MS. For selecting the channel, the base station controller must have information on the radio channels and the interference levels on the idle channels. The base station controller performs mapping from the radio channel onto the PCM time slot of the link between the base station and the base station controller (i.e., onto a channel of the link).

The base station controller BSC includes trunk interfaces, by which it is connected on the one hand to the mobile services switching center over the A interface and on the other hand to the base transceiver stations over the Abis interface. The transcoder and rate adaptation unit TRAU forms part of the base station system and may be incorporated into the base station controller or the mobile services switching center. The transcoders convert speech from one digital format to another, for example convert the 64 kbit/s PCM signals arriving from the mobile services switching center across the A interface into 13 kbit/s coded speech signals to be conveyed to the base station, and vice versa. Data rate adaptation is performed between the speed 64 kbit/s and the speed 3.6, 6, or 12 kbit/s. In a data application, the data does not pass through the transcoder.

The base station controller configures, allocates and controls the downlink circuits. It also controls the switching circuits of the base station via a PCM signalling link, thus enabling effective utilization of PCM time slots. In other words, a branching unit at a base station, which is controlled by the base station controller, connects the transmitter/receivers to PCM links. Said branching unit transfers the content of a PCM time slot to the transmitter (or forwards it to the other base stations if the base stations are chained) and adds the content of the receive time slot to the PCM time slot in the reverse transmission direction. Hence, the base station controller establishes and releases the connections for the mobile station.

The layer 1 physical interface between the base station BTS and the base station controller BSC is in this example a 2048 kbit/s PCM line, i.e. it comprises 32 time slots of 64 kbit/s (= 2048 kbit/s). The base stations are fully under the control of the base station controller. The base stations mainly comprise transmitter/receivers providing a radio interface towards the mobile station. Four full-rate traffic channels arriving via the radio interface can be multiplexed into one 64 kbit/s PCM channel between the base station controller and the base station, and hence the speed of one speech/data channel over this link is 16 kbit/s. Hence, one 64 kbit/s PCM link may transfer four speech/data connections.

Figure 1 also shows the transfer rates used in the GSM system. The mobile station MS transmits speech data across the radio interface on the radio channel for example at the standard rate 13 kbit/s. The base station receives the data of the traffic channel and switches it to the 64 kbit/s time slot of the PCM link. Three other traffic channels of the same carrier are also located in the same time slot (i.e., channel), and hence the transfer rate per connection is 16 kbit/s, as stated previously. The transcoder/rate adaptation unit TRAU converts the encoded digital information to the rate 64 kbit/s, and at this rate the data is transferred to the mobile services switching center. If the transcoder/rate adaptation unit is incorporated into the mobile services switching center, maximum advantage is gained from compressed speech in data transmission.

In the latest solutions, base transceiver stations are chained in the manner shown by Figure 2, one after the other in such a way that each base transceiver station will take from the transmission network the traffic of the time slots allocated for its own (card) units and will switch the remaining time slots to the next base transceiver station. Hereby there is within one card unit of the base transceiver station (or between two different card units) a fixedly defined branch for branching the traffic to the base transceiver station which is next in the chain. In Figure 2, the first base transceiver station after the base station controller branches the traffic arriving from the base station controller into three different chains, and in each chain each base transceiver station will then receive the data of those time slots, which are intended for its own units and will switch the data of other time slots forward in the chain. In the figure the reference mark TRU is used to indicate these transmission units carrying out the branching. Using an additional unit (DMR) it is also possible to form e.g. a radio link connection between base transceiver stations. In this example, the base station controller is connected through a separate cross-connection device XD to a first base transceiver station, wherein the arriving traffic is branched to three separate base transceiver station chains.

In that part of the network which is in the uplink transmission direction from the base transceiver stations, the traffic, however, usually goes unencrypted from one network element to another. In the network part between base station controllers and base transceiver stations in particular it is hereby relatively easy to follow the traffic in the network, either the whole data flow or one or more individual time slots, e.g. a network management channel.

In such network environments where data security is of special importance, encrypting of the data to be transmitted is performed when required also in the network part between base transceiver stations and base station controllers. This is carried out in such a way that to one or more legs where encryption of data is desired such devices are added which at the transmission end perform encryption of the data to be transmitted to the link and at the reception end perform decryption before the data is received. The devices are located outside the transmission equipment (e.g. the base transceiver station) proper.

A drawback of such a solution is that it is difficult to process the encrypted data flow, if e.g. it is transmitted from one system to another (e.g. if PCM signals are transmitted to an SDH (Synchronous Digital Hierarchy) system, between network parts owned by two separate operators or even just between two such pieces of transmission equipment, which have different transmission capacities). In practice the data must in fact always first be decrypted, in order to reveal the standard signal format for processing.

Summary of the invention 

It is a purpose of the invention to eliminate the drawback described above and to bring about a method, using which it is possible to implement data security in a mobile network in such a way that processing of signals remains as simple as without encryption.

This objective is attained by the solution defined in the independent claims.

The idea of the invention is to perform data encryption in a card unit within the base transceiver station before framing of the data flow to be transmitted to the transmission network and, correspondingly, to perform decryption only after the frame structure of the received data has been disassembled and the payload data has been separated from the frame information. In this way encryption can be performed without violating the requirements or provisions of the external interface of the network element, and while preserving the standard signal format, whereby the signal can also be processed outside the base transceiver station in as simple a way as when processing an unencrypted signal.

The network management channel is summed into the data stream to be transmitted before the encryption, so it is encrypted along with the other data. Thus no one else but the network operator can read or change the settings of network elements or their units in the network. In this way it is possible to prevent any paralysis of parts of the network or any momentary taking over of the network or its part for use by another operator.

Not only does encryption make it more difficult to eavesdrop on channels but it also makes it more difficult e.g. for a competing operator to perform any monitoring of traffic volumes transmitted through the network. This is due to the fact that after encryption one can no longer tell on which channel there is traffic and on which there is none, because the bit pattern of unused time slots will also change as a result of the encryption.

List of figures

In the following the invention and its advantageous modes of embodiment will be described in greater detail referring to Figures 3 and 4 in the examples according to the appended drawings, wherein

Figure 1 illustrates the structure of a GSM mobile network;
Figure 2 shows base transceiver stations chained one after the other;
Figure 3 illustrates the typical architecture of a base transceiver station; and
Figure 4 illustrates a solution in accordance with the invention at a transmission unit of a base transceiver station.

Detailed description of the invention 

The architecture of a base transceiver station is typically such as shown in Figure 3, that is, such that on the backplane BP or mother board of the base transceiver station those internal buses INB of the equipment are implemented, to which the card units of the base transceiver station are connected (card units are also called plug-in units). The card units of the base transceiver station are typically transmission units and base transceiver station units. The transmission unit attends to the traffic between the transmission network and the base transceiver station and an external interface of the base transceiver station is formed therein for the transmission network. The base transceiver station unit for its part contains the base transceiver station's radio parts, which are connected to an antenna. The figure shows two base transceiver station units and they are marked with the reference marks BSU1 and BSU2. The number of transmission card units is also two and they are marked with the reference marks TRU1 and TRU2. The number of transmission card units may vary and they may be equipped with access interfaces of many types. The transmission card units may also provide e.g. HDSL or ISDN interfaces. Such interfaces are formed in the example shown in the figure through the front connectors (FC1 and FC2) of the transmission card units.

Figure 4 illustrates the solution according to the invention in a base transceiver station of a cellular network. Since the encryption method according to the invention is implemented explicitly on the transmission card unit of the base transceiver station, the figure shows only one transmission card unit TRU of these card units of the base transceiver station. It is assumed in the example that a 2048 kbit/s PCM line is connected to the interface of the transmission card unit. Thus the interface towards the transmission network is in compliance with the recommendations of CCITT's (nowadays ITU-T) G.700 series.

In the transmission card unit there is first in the reception direction an interface block IB, where synchronization takes place with the incoming signal and where the line-coded signal (e.g. three-level HDB3 coding used on PCM lines) is changed into binary data. In the transmission direction the same actions are performed in the opposite order, that is, the signal to be transmitted is adapted physically to the transmission path.

From the interface block the data stream is switched in the reception direction to a framing block FB, where the frame structure of the signal to be received is disassembled. In other words, the useful data is separated from the frame information. In the transmission direction a frame structure to be transmitted is formed in the framing block for the interface from the bit stream to be transmitted (those bits are added to the data flow, which belong solely to the frame structure, e.g. the frame alignment bits).

In the reception direction the bit string to be received is then decrypted in the encryption/decryption block EB. In the transmission direction encryption of the bit string to be transmitted is correspondingly performed in this block. The encryption may be performed by any method known as such, which provides a data security level which is sufficient for the environment in question. However, it is preferable to use such an encryption method, which will produce a bit string of equal length directly from the original bit string. However, it is also possible to use a solution, wherein the encrypted bit string resulting from the original bit string is shorter than the original. In such a case "stuffing bits" must be added to the encrypted bit string before the data is framed. It is also possible in principle to use such an encryption algorithm, which makes the encrypted bit string longer than the original, but this is the poorest alternative in the sense that the payload data capacity will be reduced. Encryption is preferably done in the bit flow on such a bit string, the integrity of which is known to remain over the transmission path.

In the reception direction after the encryption block the bit flow is switched to the network management block NMB, where the network management data contained in the bit flow is separated from the bit flow for the microcontroller MC of the card unit. Correspondingly, in the transmission direction the network management bits are summed under control by the microcontroller into the bit flow to be transmitted. (In practice, almost every card unit has its own controller, which controls the functions of the card unit.)

To the other received time slots cross connection is performed in the cross-connection block XB, which is connected to the cross-connection bus XBUS (which is a part of the bus system INB on the backplane of the base transceiver station) between the units. In the cross-connection unit some time slots are connected to the radio unit of the own base transceiver station while some are connected to such interfaces, which are connected through the transmission path to other base transceiver stations. One or more such interfaces may also be in the same transmission card unit, because one transmission card unit may have more than one interface. Correspondingly, in the transmission direction the cross-connection block is used to connect the contents of the base transceiver station's reception time slots or the contents of time slots received from other base transceiver stations to the correct time slots of the PCM signal to be transmitted from the desired interface.

Since the encryption and decryption are carried out in a manner known as such, it will not be described in greater detail in this connection. What is essential from the viewpoint of the invention is that the encryption and decryption are performed within the transmission card unit of the base transceiver station between the cross connection performed by the card unit and the de-framing/framing. E.g. as seen in the reception direction, the place is that where the bit flow received from the transmission network is processed unframed and that place which is located in the reception direction before the data is connected forward to the other units, preferably before bits are separated from the data even for use by the same transmission card unit. Correspondingly, in the transmission direction the preferable place is that where all information has already been summed into the bit flow to be transmitted, but where the bit flow is still in the form of unframed binary data.

Figure 4 shows functional blocks contained in the transmission card unit TRU. The manner in which these blocks are located in physical circuits may vary in many ways. E.g. it is possible in practice to perform in the same circuit the implementation of the physical interface and the framing/de-framing. On the other hand, the blocks described above may be located in one customer circuit (application-specific integrated circuit), e.g. in such a way that the circuit includes all other blocks except the interface or the interface and the framing block. Thus the functional blocks described above can be integrated within one or more circuits. In addition, one circuit may have certain functions for more than one transmission connection, e.g. there may be several interfaces in one line circuit. However, there are specific functional blocks for each interface.

The encryption is preferably carried out on every leg of the network part between the base station controller and the base transceiver stations, so encryption may be performed not only in the base transceiver stations of Figure 1 but also in the base station controller BSC and/or in the cross-connection device XD. But when moving from the base station controller towards the mobile services switching center, the capacities of transmission connections usually become so high that an optical fiber is used as transmission medium in most cases. Hereby the same benefit cannot be derived from encryption, since it is anyway difficult to eavesdrop on an optical fiber.

Decryption is always performed in the following network element containing the cross-connection of the same operator, so that multiple encryption will not result. If there are pieces of transmission equipment of another operator in between, no decryption need be done in these, because the signal can be processed in exactly the same manner as a normal non-encrypted signal travelling in the network.

Encryption may be carried out using a fixed encryption key, or the encryption key may be changed when desired. If it is desired to change the encryption keys constantly, this must be taken into account when the network capacity is determined. In other words, of the transmission capacity a part must be reserved for the transmission of encryption keys and/or synchronization information of the encryption. The network management may inform the base transceiver stations both about encryption keys and about the moment of their change or only about the moment of change, if the new encryption key is already known to the base transceiver station. Since the traffic must run constantly and since it is not desirable that at the moment of encryption key change a non-encrypted mode exists for a moment, the base transceiver stations must be mutually synchronized so that they will change the encryption key at the right moment. For conveying this synchronization information one bit of the frame is sufficient, which bit may be conveyed e.g. in time slot TS0, if the signal is a 2048 kbit/s signal in accordance with ITU-T's G.703/G.704 recommendations (in every second frame there is a frame alignment character in the TS0 time slot, but in the alternate frames bits 4-8 are free for national use, whereby they may be used for transmission of synchronization information). For the synchronization information, bits may also be reserved from some other time slot, but hereby the necessary capacity must be taken from the capacity reserved for the payload.

New encryption keys may be conveyed e.g. on the network management channel (e.g. time slot TS16 of a 2048 kbit/s signal). The base transceiver station may also have an encryption key database, wherein all encryption keys available to the base transceiver station are stored beforehand, e.g. when the network element is installed. Hereby no more than the above-mentioned synchronization information is sent from the network management system to inform when the encryption key is exchanged. The base transceiver stations may also count frames and change the encryption key e.g. always after a certain number of frames.
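
The transmit and receive ordering described above (management data summed in, encryption in EB, then framing in FB) together with a frame-counted key change, as an added example that is not part of the patent text. The patent leaves the cipher open; the HMAC-SHA-256 keystream below is a length-preserving stand-in, and the choice of Sa4 as the sync bit, the eight-frame key interval and the key database contents are assumptions made for the illustration.

```python
import hashlib
import hmac

FAS = 0x1B          # TS0 of alignment frames: bits 2-8 = 0011011 (G.704), Si = 0
NFAS = 0x4F         # TS0 of alternate frames: bit 2 = 1, A = 0, Sa5-Sa8 = 1
SA4 = 0x10          # assumption: Sa4 (bit 4 of TS0) carries the key-epoch parity
FRAMES_PER_KEY = 8  # assumption: key changes after this many frames
# Constructed sample keys standing in for the pre-installed key database.
KEY_DB = [b"constructed-key-A", b"constructed-key-B"]


def select_key(key_db, frame_no):
    """Both ends count frames and derive the same key epoch."""
    epoch = frame_no // FRAMES_PER_KEY
    return epoch, key_db[epoch % len(key_db)]


def keystream(key, frame_no, length):
    """Stand-in keystream; the frame number keeps it unique per frame
    for as long as the frame counter itself does not wrap."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = frame_no.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def eb(data, key, frame_no):
    """Block EB: XOR with the keystream, so output length equals input
    length and no stuffing bits are needed. Same call decrypts."""
    ks = keystream(key, frame_no, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def fb_frame(body, frame_no, epoch):
    """Block FB, transmit side: prepend TS0 in clear, after encryption."""
    if frame_no % 2 == 0:
        ts0 = FAS
    else:
        ts0 = NFAS | (SA4 if epoch & 1 else 0)
    return bytes([ts0]) + body


def transmit(payload, key_db, frame_no):
    """payload = TS1..TS31 (31 bytes), TS16 management data already summed in."""
    if len(payload) != 31:
        raise ValueError("payload must be TS1..TS31")
    epoch, key = select_key(key_db, frame_no)
    return fb_frame(eb(payload, key, frame_no), frame_no, epoch)


def transit_ok(frame, frame_no):
    """What keyless third-party equipment checks: length and TS0 only."""
    if len(frame) != 32:
        return False
    if frame_no % 2 == 0:
        return frame[0] & 0x7F == FAS
    return bool(frame[0] & 0x40)


def receive(frame, key_db, frame_no):
    """De-frame first, verify key-change sync, then decrypt."""
    if not transit_ok(frame, frame_no):
        raise ValueError("frame alignment lost")
    epoch, key = select_key(key_db, frame_no)
    if frame_no % 2 == 1 and bool(frame[0] & SA4) != bool(epoch & 1):
        raise ValueError("key epoch out of sync")
    return eb(frame[1:], key, frame_no)


def demo():
    """Constructed traffic: idle slots (0xFF) plus one management byte in TS16."""
    payload = bytearray([0xFF] * 31)
    payload[15] = 0xA5  # payload[0] is TS1, so index 15 is TS16
    payload = bytes(payload)
    frames = [transmit(payload, KEY_DB, n) for n in range(20)]
    recovered = [receive(f, KEY_DB, n) for n, f in enumerate(frames)]
    return payload, frames, recovered


if __name__ == "__main__":
    payload, frames, recovered = demo()
    print("round trip ok:", all(r == payload for r in recovered))
    print("idle slots on the wire:", frames[0][1:9].hex())
```
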



WO 99/40742 PCT/FI99/00079 




One base transceiver station may use several different encryption 
keys at the same time, since several transmission connections may start out 
from one base transceiver station. 

Owing to the solution in accordance with the invention, a data flow can be transmitted e.g. in leased links in a very simple manner without the owner of the links being able to find out the content of the data flow. Seen from outside the data flow appears to be a normal transmission connection and it meets the provisions of the standard. Thus it is possible to handle the data flow, e.g. transmit it between the own equipment and the lessor's equipment without having to take any additional steps due to encryption.

Although the invention was described above referring to the examples shown in the appended drawings, it is obvious that the invention is not limited to these, but it can be modified within the scope of the inventive idea presented in the appended claims. Also other data than mobile network traffic may be transmitted in the network. Although encryption of a bit flow is mentioned in this connection, it is possible in the encryption block also to use a data scrambler, if the data security provided by this is sufficient in practice. However, when using a data scrambler the same level of data security is not achieved as when using encryption based on a key. However, the term "encryption" must be construed as meaning all the different alternatives, by which the data flow is changed into an unintelligible form. Nor is it necessary to perform cross connection in the base transceiver station in the manner described above (e.g. a base transceiver station located at the end of a chain). An individual interface may also be unidirectional, whereby only encryption or decryption is performed in it. It should also be noted that when the appended claims mention units of a base transceiver station, one unit does not necessarily correspond to one card unit, but a unit may be distributed to several card units or one card unit may have several units or parts of more than one unit.

Claims

1. Method of implementing data transmission in a mobile network including

- base transceiver stations (BTS) forming radio cells,

- mobile stations (MS), which are located in the areas of the radio cells and which are in connection with the base transceiver stations through a radio path, and

- at least one base station controller (BSC), which through a transmission network is in connection with the base transceiver stations, according to which method data is transmitted in an encrypted form in at least a part of the transmission network,

characterized in that the encryption is performed in an internal card unit (TRU) of the base transceiver station before framing of the bit stream to be transmitted to the transmission network.

2. Method as defined in claim 1, characterized in that in the said internal card unit decryption is also performed of the data received from the transmission network, and that the decryption is performed after the de-framing of the frame structure of the received signal.

3. Method as defined in claim 2, characterized in that network management information is added to the data to be transmitted before encryption of the data to be transmitted.

4. Method as defined in claim 2, characterized in that encryption is used on every link starting out from an individual base transceiver station towards the base station controller.

5. Method as defined in claim 4, characterized in that decryption is always performed in that next network element possessed by the same operator, wherein cross connection is performed.

6. Method as defined in claim 1, characterized in that the encryption uses an encryption key, which is changed at certain intervals of time.

7. Method as defined in claim 6, characterized in that the encryption keys used are transmitted to the base transceiver stations through the transmission network.

8. Method as defined in claim 6, characterized in that the change of encryption key is synchronized through the transmission network.

9. Base transceiver station of a mobile network, which by way of a radio path is in connection with mobile stations (MS) located in the area of a cell formed by the base transceiver station and through a transmission network with means (MSC) controlling the base transceiver station, which base transceiver station includes

- at least one transmission unit (TRU), which forms at least one interface (IB) towards the transmission network,

- at least one unit, which forms a radio interface towards the mobile stations (MS), and

- an internal bus system (INB) including several buses to which the units are connected and with the aid of which the units are in connection with one another,

whereby framing means (FB) pertain to at least one individual interface for framing the data flow to be transmitted before its transmission through the interface to the transmission network,

characterized in that

- the transmission unit (TRU) also includes encryption means (EB) for encryption of the data to be transmitted to the interface, said means being located so that in the transmission direction they are located before the said framing means.

10. Base transceiver station of a mobile network, which by way of a radio path is in connection with mobile stations (MS) located in the area of a cell formed by the base transceiver station and through a transmission network with means (MSC) controlling the base transceiver station, which base transceiver station includes

- at least one transmission unit (TRU), which forms at least one interface (IB) towards the transmission network,

- at least one unit forming a radio interface towards the mobile stations (MS), and

- an internal bus system (INB) including several buses, to which the units are connected and with the aid of which the units are in connection with one another,

whereby de-framing means (FB) pertain to at least one individual interface for disassembling the frame structure of the signal to be received through the interface,

characterized in that

- the transmission unit (TRU) also includes decryption means (EB) for decryption of the signal received through the interface, said means being located in such a way that in the reception direction they are located after the de-framing means.